How Much Does a Data Breach Cost a Business?

Another month goes by and another big brand is left red-faced at the center of a major hacking scandal. In the last two years, LinkedIn, Tumblr and Adult Friend Finder¹ have all been hit hard by major hacks, and the May 2017 WannaCry ransomware attack has proved that even hospitals and other public services are not safe.²

The full details of the attack are yet to surface, but an estimated 200,000 computers spread across 150 countries were hit, with FedEx, Nissan, and the UK’s National Health Service (NHS) among the victims. Reports suggest it’s one of the biggest global ransomware attacks ever, and appears to have stemmed from those attacked running older, unsupported Windows operating systems.

As well as being a huge embarrassment for the organizations involved, the direct and indirect financial cost of such an attack can be gigantic. Over in Europe, the 2016 announcement of the EU General Data Protection Regulation (GDPR) means business owners who don’t protect their customers’ data adequately can face eye-watering fines.

But, keeping your business safely secured from the outside world alone isn’t always enough. Insider data breaches can equal big dollars or disruption for rogue employees keen to make a fast buck or settle a personal score, while more innocent employees may require training to prevent them falling foul of a phishing scam from an external source that could lead to a breach.

So, what is the true cost of a data security breach, and what can brands learn from cases gone by? If history tells us one thing, it’s that no brand is too big to take an almighty fall.

AT&T found itself in hot water when 43 employees across three call centers accessed the names and social security numbers of around 280,000 US customers. Taking advantage of data stored without sufficient authorization controls, the perps sold the data on to third parties, who then used AT&T’s online portal to submit unlock requests for close to 290,000 cell phones.

Once unlocked, the phones could then be sold on to secondary vendors, much like legitimate second-hand gadgets. And, if being stabbed in the back by your own employees wasn’t bad enough, the telecommunications titan was hit with a $25m fine by the Federal Communications Commission for violating consumer privacy with its lackluster security measures.

AT&T was also ordered to notify all customers affected by the hack, and offer them free credit monitoring services in Colombia and the Philippines.

In 2014, three years after the PlayStation Network was hit, Sony was thrown into chaos when Sony Pictures was hacked. Just weeks prior to the attack, Sony had been in talks with a threat-intelligence firm in a bid to tighten up security. But this proved to be too little too late. In November 2014, hackers took over Sony’s computer network, stealing data before rendering the entire system useless.

In the process, unreleased films such as Fury and Mr Turner were leaked, and Sony was threatened with terrorist attacks unless it pulled the release of The Interview, which had caused controversy in North Korea for centering on a bid to assassinate leader Kim Jong-un. Stolen data also included Social Security numbers of over 47,000 employees, including celebrities.

Rumors that The Guardians of Peace group that was behind the attack originated from North Korea have never been confirmed by the FBI.

While the initial cost was estimated to be in the region of $99m, Sony later reported the real amount was far less, with much of the damage covered by insurance. Sony did admit to spending over $14m to investigate the case and tighten up its lackluster security, and the company’s shares fell as much as 10% in the weeks after the attack.

How do data breaches affect company value? Insight from the stock markets:

David Cheetham, Market Analyst at XTB Online Trading, an online forex and CFD broker, says: “The true cost of a data breach to a business is far more than simply the cost of improving security to prevent a future recurrence. The main damage is done to the reputation of the brand. While this is intangible and impossible to state with certainty, a rough approximation can be made from the reaction in the share price.

“For instance, in the two breaches seen at Sony, the drop in the share price dwarfed the cost of preventative measures. This is still an imperfect measure as the lasting reputational damage is difficult to quantify, and it is fairly safe to assume that the decline in a company’s value borders on the conservative side compared to potential estimates for the overall cost to the brand’s image.

“With the intense scrutiny surrounding possible interference in the US election due to hacking from Russia, it is clear that online security breaches can go right to the very top. These incidents are becoming more prevalent and with several of them seeing a recurrence shortly after, firms will not only be looking to ramp up their cyber defenses to prevent one in the first place, but will likely have contingencies should one occur to prevent a repeat.

“Due to the relative costs associated with a breach it would seem prudent for a business to act swiftly to do all it can to ensure there is no repeat, and avoid a situation where the attack seemingly exposes a systemic weakness.”

The Ashley Madison scandal was one of the biggest stories of 2015, when the controversial dating site became the victim of one of the most damaging personal data hacks of all time. A group identifying themselves as The Impact Team stole the names, email addresses and sexual preferences of 36 million men and women looking to engage in affairs, before dumping them on the web for all to see.

Countless users faced relationship breakdowns, with one man taking his own life for fear his wife would find out about his extramarital affairs. To add insult to injury, it came to light that customers who had paid Ashley Madison $19 to have their account records wiped were exposed.

In terms of a penalty, Ashley Madison got off lightly, paying just $1.6m of the $17m the government was originally seeking, due to the fact that it simply couldn’t afford such a steep fine. It was estimated that the company could face lawsuit charges from angry customers in the region of $498m; however, the scandal didn’t stop more than 4 million new users signing up to the service in the months following the attack.

Speaking of the attack with Motherboard, The Impact Team boasted how easy the hack was, due to the site having minimal security and nothing to bypass. It would appear this particular attack could have been prevented if the company invested in more sophisticated security measures.

In late 2016, it emerged search engine giant Yahoo had fallen victim to one of the biggest data hacks of all time. 1 billion accounts were compromised, with customer names, email addresses, phone numbers, and both encrypted and unencrypted security questions and answers among the stolen data.

But, what set this case apart was the time it took Yahoo to own up to the incident. The breach, which apparently took place in 2013, was discovered in 2014 but it still took the company a further two years to go to press.

The attack came at a time when Yahoo was in merger talks with wireless company Verizon. Luckily for Yahoo, an investigation by Verizon confirmed far fewer of the search engine and email service’s customers left than expected.

This resulted in the $4.81bn takeover deal being cut by $3.5m, which many felt was low considering the amount of data stolen and time taken for Yahoo to come clean. Yahoo’s share prices dropped by as much as 7% following the attack.

In March 2017, the US Justice Department revealed two Russian spies⁷ had been charged over the incident, along with two unnamed accomplices.

UK phone and broadband company TalkTalk also came under fire for the way it reacted to a major attack after it admitted that close to 157,000⁸ customers had their data stolen. Not only did it transpire the company had not done enough to secure the private data of its customers, but it also prevented any customers unhappy with the events from breaking their contracts without incurring charges.

This embarrassing incident left TalkTalk with a bill to the tune of around $77m, share prices fell by 7%, and 101,000 customers up and left, proving that the way in which such a hack is handled really does matter.

On top of that, it transpired that a 16-year-old boy was among the seven people responsible for the attack, which involved using a hacking tool to seek out vulnerabilities on targeted websites. Speaking to magistrates, the boy commented: “I didn’t think of the consequences at the time. I was just showing off to mates.”

TalkTalk were fined $512k in October 2016 for security failings, which were said to allow access to customers’ data with great ease.

Sometimes it seems even employees with the best intentions can inadvertently cause a serious data breach. Snapchat learned this lesson the hard way in February 2016, when a hacker posing as its CEO, Evan Spiegel, emailed an employee from a fake account requesting the names, social security numbers, and salary data of around 700 current and former employees.

This case highlights the need for companies to provide sufficient employee training to enable them to spot the warning signs. Snapchat released a blog post apologizing for the incident, and had to provide those affected with two years of identity theft protection and work closely with the FBI to find the perpetrator behind the scam.

With the world still reeling from the WannaCry attack, it appears neither big businesses nor non-profit organizations are safe. Worse still, few companies appear to be learning lessons from past cases.

It seems prevention is better than cure here: it’s worth investing in and reviewing a robust data security strategy. And, should the worst happen, an open and honest policy on owning up to it goes a long way in terms of protecting a brand’s image.

Using a sturdy cloud solution like Egnyte can make it less likely careless employees could expose sensitive documents and information, while also making it harder for external threats to gain access to your internal file sharing.